Grouper can limit a permission to a condition in the environment or data passed to Grouper.
A limit is an attribute of type limit assigned on the permission assignment, or assigned to the role membership, or assigned to the role, or permission definition. Note: I think we could do something by permission name by assigning to the permission definition and checking the permission name in the environment (or we would need a way to assign an attribute to an attribute name).
At runtime, Grouper, or custom logic, or the caller of the API or WS could set environment variables for the request that the request logic can use.
At first, there will not be a helpful UI, but there will be a regex were things will be possible :)
For instance, a built in limit could be:
school:etc:limits:regex
When it is assigned, the value could be: $